Receiving an indication of a security breach of a protected set of files

ABSTRACT

Embodiments include a system, a computer program product, an apparatus, a device, and a method. An embodiment provides a method. The method includes a tripwire file into a protected set of files that includes at least one normal file. The method facilitates a communication to a second party of at least a portion of the protected set of files. The method also receives a signal indicating an occurrence of an activity related to the tripwire file.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application may be related to the following listedapplication(s) (the “Related Applications”):

RELATED APPLICATIONS

United States Patent application entitled INDICATING A SECURITY BREACHOF A PROTECTED SET OF FILES naming Alexander J. Cohen; Edward K. Y.Jung; Royce A. Levien; Robert W. Lord; Mark A. Malamud; William HenryMangione-Smith; John D. Rinaldo, Jr.; Clarence T. Tegreene as inventors,U.S. Ser. No. ______, filed May 31, 2006.

United States Patent application entitled SIGNALING A SECURITY BREACH OFA PROTECTED SET OF FILES naming Alexander J. Cohen; Edward K. Y. Jung;Royce A. Levien; Robert W. Lord; Mark A. Malamud; William HenryMangione-Smith; John D. Rinaldo, Jr.; Clarence T. Tegreene as inventors,U.S. Ser. No. ______, filed May 31, 2006.

United States Patent application entitled MONITORING A STATUS OF ADATABASE BY PLACING A FALSE IDENTIFIER IN THE DATABASE naming AlexanderJ. Cohen; Edward K. Y. Jung; Royce A. Levien; Robert W. Lord; Mark A.Malamud; William Henry Mangione-Smith; John D. Rinaldo, Jr.; Clarence T.Tegreene as inventors, U.S. Ser. No. ______, filed May 31, 2006.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an exemplary general-purpose computing system inwhich embodiments may be implemented;

FIG. 2 illustrates an exemplary operational flow in which embodimentsmay be implemented;

FIG. 3 illustrates an alternative embodiment of the exemplaryoperational flow of FIG. 2;

FIG. 4 illustrates another alternative embodiment of the exemplaryoperational flow of FIG. 2;

FIG. 5 illustrates a further alternative embodiment of the exemplaryoperational flow of FIG. 2;

FIG. 6 illustrates another alternative embodiment of the exemplaryoperational flow of FIG. 2;

FIG. 7 illustrates an alternative embodiment of the exemplaryoperational flow of FIG. 2;

FIG. 8 illustrates another alternative embodiment of the exemplaryoperational flow of FIG. 2;

FIG. 9 illustrates a further alternative embodiment of the exemplaryoperational flow of FIG. 2;

FIG. 10 illustrates another alternative embodiment of the exemplaryoperational flow of FIG. 2;

FIG. 11 illustrates another alternative embodiment of the exemplaryoperational flow of FIG. 2;

FIG. 12 illustrates a further alternative embodiment of the exemplaryoperational flow of FIG. 2;

FIG. 13 illustrates an alternative embodiment of the exemplaryoperational flow of FIG. 2;

FIG. 14 illustrates another alternative embodiment of the exemplaryoperational flow of FIG. 2;

FIG. 15 illustrates another alternative embodiment of the exemplaryoperational flow of FIG. 2;

FIG. 16 illustrates a further alternative embodiment of the exemplaryoperational flow of FIG. 2;

FIG. 17 illustrates another alternative embodiment of the exemplaryoperational flow of FIG. 2;

FIGS. 18A and 18B illustrates an environment in which an embodiment ofthe exemplary operational flow of FIG. 2 may be implemented;

FIG. 19 illustrates an exemplary environment in which embodiments may beimplemented;

FIG. 20 illustrates an exemplary apparatus in which embodiments may beimplemented;

FIG. 21 illustrates an exemplary environment in which embodiments may beimplemented;

FIG. 22 illustrates an exemplary operational flow in which embodimentsmay be implemented;

FIG. 23 illustrates an alternative embodiment of the exemplaryoperational flow of FIG. 22;

FIG. 24 illustrates another embodiment of the exemplary operational flowof FIG. 22;

FIG. 25 illustrates a further embodiment of the exemplary operationalflow of FIG. 22;

FIG. 26 illustrates another embodiment of the exemplary operational flowof FIG. 22.

FIG. 27 illustrates another embodiment of the exemplary operational flowof FIG. 22.

FIG. 28 illustrates a further embodiment of the exemplary operationalflow of FIG. 22.

FIG. 29 illustrates another embodiment of the exemplary operational flowof FIG. 22.

FIG. 30 illustrates an exemplary environment in which embodiments may beimplemented.

FIG. 31 illustrates an exemplary apparatus in which embodiments may beimplemented.

FIG. 32 illustrates an exemplary environment in which embodiments may beimplemented;

FIG. 33 illustrates an exemplary operational flow in which embodimentsmay be implemented;

FIG. 34 illustrates an alternative embodiment of the exemplaryoperational flow of FIG. 33;

FIG. 35 illustrates another embodiment of the exemplary operational flowof FIG. 33;

FIG. 36 illustrates a further embodiment of the exemplary operationalflow of FIG. 33;

FIG. 37 illustrates an alternative embodiment of the exemplaryoperational flow of FIG. 33;

FIG. 38 illustrates another embodiment of the exemplary operational flowof FIG. 33;

FIG. 39 illustrates a further embodiment of the exemplary operationalflow of FIG. 33;

FIG. 40 illustrates an alternative embodiment of the exemplaryoperational flow of FIG. 33;

FIG. 41 illustrates another embodiment of the exemplary operational flowof FIG. 33;

FIG. 42 illustrates a partial view of an exemplary computer programproduct;

FIG. 43 illustrates a partial view of an exemplary apparatus that mayimplement embodiments;

FIG. 44 illustrates a partial view of an exemplary operational flow inwhich embodiments may be implemented;

FIG. 45 illustrates an alternative embodiment of the exemplaryoperational flow of FIG. 44;

FIG. 46 illustrates an alternative embodiment of the exemplaryoperational flow of FIG. 44;

FIG. 47 illustrates another embodiment of the exemplary operational flowof FIG. 44;

FIG. 48 illustrates an alternative embodiment of the exemplaryoperational flow of FIG. 44;

FIG. 49 illustrates an alternative embodiment of the exemplaryoperational flow of FIG. 44;

FIG. 50 illustrates another embodiment of the exemplary operational flowof FIG. 44;

FIG. 51 illustrates a further embodiment of the exemplary operationalflow of FIG. 44;

FIG. 52 illustrates another embodiment of the exemplary operational flowof FIG. 44;

FIG. 53 illustrates a further embodiment of the exemplary operationalflow of FIG. 44;

FIG. 54 illustrates an exemplary environment in which embodiments may beimplemented;

FIG. 55 partially illustrates an exemplary environment in whichembodiments of the operational flow of FIG. 44 and/or the apparatus ofFIG. 54 may be implemented;

FIG. 56 illustrates an exemplary apparatus that may be used to implementembodiments;

FIG. 57 partially illustrates an exemplary operational flow in whichembodiments may be implemented;

FIG. 58 illustrates an alternative embodiment of the exemplaryoperational flow of FIG. 57;

FIG. 59 illustrates an alternative embodiment of the exemplaryoperational flow of FIG. 57;

FIG. 60 at least partially illustrates an exemplary embodiment of asystem that includes an exemplary computer-implemented device in whichembodiments may be implemented; and

FIG. 61 illustrates an exemplary environment that includes an exemplaryapparatus in which embodiments may be implemented.

DETAILED DESCRIPTION

In the following detailed description, reference is made to theaccompanying drawings, which form a part hereof. In the drawings,similar symbols typically identify similar components, unless contextdictates otherwise. The illustrated embodiments described in thedetailed description, drawings, and claims are not meant to be limiting.Other embodiments may be utilized, and other changes may be made,without departing from the spirit or scope of the subject matterpresented here.

FIG. 1 illustrates an exemplary general-purpose computing system inwhich embodiments may be implemented, shown as a computing systemenvironment 100. Components of the computing system environment 100 mayinclude, but are not limited to, a computing device 110 having aprocessing unit 120, a system memory 130, and a system bus 121 thatcouples various system components including the system memory to theprocessing unit 120. The system bus 121 may be any of several types ofbus structures including a memory bus or memory controller, a peripheralbus, and a local bus using any of a variety of bus architectures. By wayof example, and not limitation, such architectures include IndustryStandard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus,Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA)local bus, and Peripheral Component Interconnect (PCI) bus, also knownas Mezzanine bus.

The computing system environment 100 typically includes a variety ofcomputer-readable media products. Computer-readable media may includeany media that can be accessed by the computing device 110 and includeboth volatile and nonvolatile media, removable and non-removable media.By way of example, and not of limitation, computer-readable media mayinclude computer storage media and communications media. Computerstorage media includes volatile and nonvolatile, removable andnon-removable media implemented in any method or technology for storageof information such as computer-readable instructions, data structures,program modules, or other data. Computer storage media include, but arenot limited to, random-access memory (RAM), read-only memory (ROM),electrically erasable programmable read-only memory (EEPROM), flashmemory, or other memory technology, CD-ROM, digital versatile disks(DVD), or other optical disk storage, magnetic cassettes, magnetic tape,magnetic disk storage, or other magnetic storage devices, or any othermedium which can be used to store the desired information and which canbe accessed by the computing device 110. Communications media typicallyembody computer-readable instructions, data structures, program modules,or other data in a modulated data signal such as a carrier wave or othertransport mechanism and include any information delivery media. The term“modulated data signal” means a signal that has one or more of itscharacteristics set or changed in such a manner as to encode informationin the signal. By way of example, and not limitation, communicationsmedia include wired media such as a wired network and a direct-wiredconnection and wireless media such as acoustic, RF, optical, andinfrared media. Combinations of any of the above should also be includedwithin the scope of computer-readable media.

The system memory 130 includes computer storage media in the form ofvolatile and nonvolatile memory such as ROM 131 and RAM 132. A basicinput/output system (BIOS) 133, containing the basic routines that helpto transfer information between elements within the computing device110, such as during start-up, is typically stored in ROM 131. RAM 132typically contains data and program modules that are immediatelyaccessible to or presently being operated on by processing unit 120. Byway of example, and not limitation, FIG. 1 illustrates an operatingsystem 134, application programs 135, other program modules 136, andprogram data 137. Often, the operating system 134 offers services toapplications programs 135 by way of one or more application programminginterfaces (APIs) (not shown). Because the operating system 134incorporates these services, developers of applications programs 135need not redevelop code to use the services. Examples of APIs providedby operating systems such as Microsoft's “WINDOWS” are well known in theart. In an embodiment, an information store may include a computerstorage media. In a further embodiment, an information store may includea group of digital information storage devices. In another embodiment,an information store may include a quantum memory device.

The computing device 110 may also include other removable/non-removable,volatile/nonvolatile computer storage media products. By way of exampleonly, FIG. 1 illustrates a non-removable non-volatile memory interface(hard disk interface) 140 that reads from and writes to non-removable,non-volatile magnetic media, a magnetic disk drive 151 that reads fromand writes to a removable, non-volatile magnetic disk 152, and anoptical disk drive 155 that reads from and writes to a removable,non-volatile optical disk 156 such as a CD ROM. Otherremovable/nonremovable, volatile/non-volatile computer storage mediathat can be used in the exemplary operating environment include, but arenot limited to, magnetic tape cassettes, flash memory cards, DVDs,digital video tape, solid state RAM, and solid state ROM. The hard diskdrive 141 is typically connected to the system bus 121 through anon-removable memory interface, such as the interface 140, and magneticdisk drive 151 and optical disk drive 155 are typically connected to thesystem bus 121 by a removable non-volatile memory interface, such asinterface 150.

The drives and their associated computer storage media discussed aboveand illustrated in FIG. 1 provide storage of computer-readableinstructions, data structures, program modules, and other data for thecomputing device 110. In FIG. 1, for example, hard disk drive 141, isillustrated as storing an operating system 144, application programs145, other program modules 146, and program data 147. Note that thesecomponents can either be the same as or different from the operatingsystem 134, application programs 135, other program modules 136, andprogram data 137. The operating system 144, application programs 145,other program modules 146, and program data 147 are given differentnumbers here to illustrate that, at a minimum, they are differentcopies. A user may enter commands and information into the computingdevice 110 through input devices such as a microphone 163, keyboard 162,and pointing device 161, commonly referred to as a mouse, trackball, ortouch pad. Other input devices (not shown) may include a joystick, gamepad, satellite dish, and scanner. These and other input devices areoften connected to the processing unit 120 through a user inputinterface 160 that is coupled to the system bus, but may be connected byother interface and bus structures, such as a parallel port, game port,or a universal serial bus (USB). A monitor 191 or other type of displaydevice is also connected to the system bus 121 via an interface, such asa video interface 190. In addition to the monitor, computers may alsoinclude other peripheral output devices such as speakers 197 and printer196, which may be connected through an output peripheral interface 195.

The computing system environment 100 may operate in a networkedenvironment using logical connections to one or more remote computers,such as a remote computer 180. The remote computer 180 may be a personalcomputer, a server, a router, a network PC, a peer device, or othercommon network node, and typically includes many or all of the elementsdescribed above relative to the computing device 110, although only amemory storage device 181 has been illustrated in FIG. 1. The logicalconnections depicted in FIG. 1 include a local area network (LAN) 171and a wide area network (WAN) 173, but may also include other networkssuch as a personal area network (PAN) (not shown). Such networkingenvironments are commonplace in offices, enterprise-wide computernetworks, intranets, and the Internet.

When used in a LAN networking environment, the computing systemenvironment 100 is connected to the LAN 171 through a network interfaceor adapter 170. When used in a WAN networking environment, the computingdevice 110 typically includes a modem 172 or other means forestablishing communications over the WAN 173, such as the Internet. Themodem 172, which may be internal or external, may be connected to thesystem bus 121 via the user input interface 160, or via anotherappropriate mechanism. In a networked environment, program modulesdepicted relative to the computing device 110, or portions thereof, maybe stored in a remote memory storage device. By way of example, and notlimitation, FIG. 1 illustrates remote application programs 185 asresiding on computer storage medium 181. It will be appreciated that thenetwork connections shown are exemplary and other means of establishinga communications link between the computers may be used.

FIG. 1 is intended to provide a brief, general description of anillustrative and/or suitable exemplary environment in which embodimentsmay be implemented. An exemplary system may include the computing systemenvironment 100 of FIG. 1. FIG. 1 is an example of a suitableenvironment and is not intended to suggest any limitation as to thestructure, scope of use, or functionality of an embodiment. A particularenvironment should not be interpreted as having any dependency orrequirement relating to any one or combination of components illustratedin an exemplary operating environment. For example, in certaininstances, one or more elements of an environment may be deemed notnecessary and omitted. In other instances, one or more other elementsmay be deemed necessary and added.

In the description that follows, certain embodiments may be describedwith reference to acts and symbolic representations of operations thatare performed by one or more computing devices, such as the computingdevice 110 of FIG. 1. As such, it will be understood that such acts andoperations, which are at times referred to as being computer-executed,include the manipulation by the processing unit of the computer ofelectrical signals representing data in a structured form. Thismanipulation transforms the data or maintains them at locations in thememory system of the computer, which reconfigures or otherwise altersthe operation of the computer in a manner well understood by thoseskilled in the art. The data structures in which data is maintained arephysical locations of the memory that have particular properties definedby the format of the data. However, while an embodiment is beingdescribed in the foregoing context, it is not meant to be limiting asthose of skill in the art will appreciate that the acts and operationsdescribed hereinafter may also be implemented in hardware.

Embodiments may be implemented with numerous other general-purpose orspecial-purpose computing devices and computing system environments orconfigurations. Examples of well-known computing systems, environments,and configurations that may be suitable for use with an embodimentinclude, but are not limited to, personal computers, handheld or laptopdevices, personal digital assistants, multiprocessor systems,microprocessor-based systems, set top boxes, programmable consumerelectronics, network, minicomputers, server computers, game servercomputers, web server computers, mainframe computers, and distributedcomputing environments that include any of the above systems or devices.

Embodiments may be described in a general context of computer-executableinstructions, such as program modules, being executed by a computer.Generally, program modules include routines, programs, objects,components, data structures, etc., that perform particular tasks orimplement particular abstract data types. An embodiment may also bepracticed in a distributed computing environment where tasks areperformed by remote processing devices that are linked through acommunications network. In a distributed computing environment, programmodules may be located in both local and remote computer storage mediaincluding memory storage devices.

FIG. 2 illustrates an exemplary operational flow 200 in whichembodiments may be implemented. In an embodiment, the operational flowmay be implemented using the computing system environment 100 of FIG. 1.After a start operation, the operational flow moves to a plantingoperation 210. The planting operation causes a tripwire file to beincluded in a protected set of files that includes at least one normalfile. A discovery operation 290 detects an indicium of an activityrelated to the tripwire file. A warning operation 320 generates a signalindicating an occurrence of an unauthorized activity related to theprotected set of files in response to the detected indicium of anactivity related to the tripwire file. The operational flow then movesto a stop operation.

FIG. 3 illustrates an alternative embodiment of the exemplaryoperational flow 200 of FIG. 2. The planting operation 210 may includeat least one additional operation. The at least one additional operationmay include an operation 212, an operation 214, and/or an operation 216.The operation 212 causes a tripwire file to be included in a protecteddatabase that includes at least one normal file. The operation 214causes a tripwire account having a limited functionality to be includedin a protected set of files that includes at least one regular accounthaving a full functionality. The operation 216 causes a record of atripwire account having a limited functionality to be included in aprotected set of files that includes at least one record of validaccount having a full functionality.

FIG. 4 illustrates another alternative embodiment of the exemplaryoperational flow 200 of FIG. 2. The planting operation 210 may includeat least one additional operation. The at least one additional operationmay include an operation 218, an operation 222, and/or an operation 224.The operation 218 causes a tripwire file providing a limited benefit tobe included in a protected set of files that includes at least oneregular file providing a full benefit. The operation 222 causes atripwire file misleadingly appearing to provide a benefit to abeneficiary to be included in a protected set of files that includes atleast one regular file actually allowing provision of the benefit toanother beneficiary. The operation 224 causes a tripwire filefacilitating provision of a token and/or de minimis benefit to beincluded in a protected set of files that includes at least one regularfile facilitating provision of a full benefit.

FIG. 5 illustrates a further alternative embodiment of the exemplaryoperational flow 200 of FIG. 2. The planting operation 210 may includeat least one additional operation. The at least one additional operationmay include an operation 226, an operation 228, and/or an operation 232.The operation 226 causes a tripwire file subtype to be included in aprotected set of files that includes at least one normal file subtype.The operation 228 causes a tripwire file to be associated with theprotected set of files that includes at least one normal file. Thetripwire file includes a structure usable in discriminating between atripwire file and a normal file. The operation 232 causes a tripwirefile to be associated with the protected set of files that includes atleast one normal file. The tripwire file includes an encrypted dataand/or a characteristic usable in discriminating between a tripwire fileand a normal file.

FIG. 6 illustrates another alternative embodiment of the exemplaryoperational flow 200 of FIG. 2. The planting operation 210 may includeat least one additional operation. The at least one additional operationmay include an operation 234, an operation 236, and/or an operation 238.The operation 234 causes a tripwire file subtype to be associated with aprotected set of files that includes at least one normal file subtype.The tripwire file includes data and/or a characteristic usable indiscriminating between a tripwire file subtype and a normal filesubtype. The operation 236 causes a tripwire file and a tripwire fileidentification tool to be included in a protected set of files thatincludes at least one normal file. The operation 238 causes a tripwirefile to be included in a protected set of files that includes at leastone normal file. The operation 238 also causes a tripwire fileidentification tool to be included another set of files. The tripwirefile identification tool may include any tool useful in distinguishingbetween a normal file and a tripwire file. For example, the tripwirefile identification tool may indicate that a tripwire file may beidentified by dividing an account number by a digital representation ofthe account name, and if the result equals a known or predicted value,or range of values for tripwire accounts. Alternatively, a similarprocess may be used to identify non-tripwire accounts. By way of furtherexample, a tripwire file identification tool may include account dataand/or information within the tripwire account that indicates itscharacter as a tripwire account. The tripwire file identification toolmay be untransformed or it may transformed. For example, the tripwirefile identification tool may be hashed. The tripwire file identificationtool may be encoded, and/or encrypted.

FIG. 7 illustrates an alternative embodiment of the exemplaryoperational flow 200 of FIG. 2. The planting operation 210 may includeat least one additional operation. The at least one additional operationmay include an operation 242, and/or an operation 244. The operation 242causes a tripwire file to be included in a protected set of files thatincludes at least one normal file. The operation 242 also creates anidentification file having a content useful in differentiating thetripwire file from the at least one normal file. The operation 242further stores the identification file in at least one of a sameinformation storage device that stores at least a portion of theprotected set of files and/or a different information storage devicefrom that which stores the at least a portion of the protected set offiles. The operation 244 causes a tripwire file to be included in aprotected database that includes at least one normal file. The operation248 also causes a tripwire file identification tool to be included inanother protected database.

FIG. 8 illustrates another alternative embodiment of the exemplaryoperational flow 200 of FIG. 2. The planting operation 210 may includeat least one additional operation. The at least one additional operationmay include an operation 246, and/or an operation 248. The operation 246causes a tripwire file to be included in a protected set of files thatincludes at least one normal file. The tripwire file is at leastsubstantially lacking at least one of a name, an attribute, anassociation, an operation, an interaction, a collaboration, avisibility, a state, a generalization, a relationship, and/or aresponsibility of each file of the at least one normal file. Theoperation 248 causes a tripwire file to be included in a protected setof files that includes at least one normal file. The tripwire fileincludes at least one of a name, an attribute, an association, anoperation, an interaction, a collaboration, a visibility, a state, ageneralization, a relationship, and/or a responsibility that is at leastsubstantially different from each file of the at least one normal file.

FIG. 9 illustrates a further alternative embodiment of the exemplaryoperational flow 200 of FIG. 2. The planting operation 210 may includeat least one additional operation. The at least one additional operationmay include an operation 252, and/or an operation 254. The operation 252causes a tripwire file to be included in a protected set of files thatincludes at least one normal file. The tripwire file has a property thatdoes not facilitate a return of an approval code in response to afinancial transaction card authorization request. Each normal file ofthe at least one normal file has a property that does facilitate areturn of an approval code in response to a financial transaction cardauthorization request. The operation 254 causes a tripwire file to beincluded in a protected set of files that includes at least one normalfile. The tripwire file has a property that does not facilitate a returnof an approval in response to a health insurance claim, and each normalfile of the at least one normal file has a property that does facilitatea return of an approval in response to a health insurance claim.

FIG. 10 illustrates another alternative embodiment of the exemplaryoperational flow 200 of FIG. 2. The planting operation 210 may includeat least one additional operation. The at least one additional operationmay include an operation 256, an operation 258, and/or an operation 262.The operation 256 causes an inclusion in a protected set of files of atripwire file having a usability at least substantially limited tofacilitating detection of a security breach of the protected set offiles. The operation 258 causes a tripwire file to be included in aprotected set of files that includes at least one normal file. Theprotected set of files includes at least one of a collection ofinformation, a large amount of data stored in a computer system, and/ora set of related files that are managed by a set of files managementsystem. The operation 262 causes a tripwire file to be included in aprotected set of files that includes at least one normal file, access tothe protected set of files being limited by a security protocol.

FIG. 11 illustrates another alternative embodiment of the exemplaryoperational flow 200 of FIG. 2. The planting operation 210 may includeat least one additional operation. The at least one additional operationmay include an operation 264, an operation 266, an operation 268, and/oran operation 272. The operation 264 causes a tripwire file to beincluded in a protected set of files that includes at least one normalfile. Access to the protected set of files is fortified against attack.The operation 266 causes a tripwire record to be included in a protectedrelational database that includes at least one normal record. Theoperation 268 causes a tripwire object to be included in a protectedobject orientated database that includes at least one normal object. Theoperation 272 causes a tripwire file to be included in a protected filesystem that includes at least one normal file.

FIG. 12 illustrates a further alternative embodiment of the exemplaryoperational flow 200 of FIG. 2. The planting operation 210 may includeat least one additional operation. The at least one additional operationmay include an operation 274. The operation 274 causes a tripwire fileto be included in a protected set of files that is subject to control byan owner and/or an administrator and that includes at least one normalfile. The operation 274 may include at least one additional operation,such as an operation 276. At the operation 276 the owner and/or theadministrator of the set of files includes at least one of a governmententity, a social security system, a retirement system, a drivers licensesystem, a passport system, an employer, a merchant, a service provider,a financial transaction card issuer, a merchant, a health care provider,a merchant bank, a financial transaction card association, a memberassociation, a stockbrokerage, a mutual fund, an insurance company,and/or a banking institution.

FIG. 13 illustrates an alternative embodiment of the exemplaryoperational flow 200 of FIG. 2. The discovery operation 290 may includeat least one additional operation. The at least one additional operationmay include an operation 292, an operation 294, and/or an operation 296.The operation 292 detects an indicium of at least one of an activityrelated to financial transaction card account, an activity related to abank account, an activity related to insurance policy, and/or anactivity related to a license holder that corresponds with the tripwirefile. The operation 294 detects an indicium of an activity related tothe tripwire file using an artificial intelligence. The operation 296detects an indicium of an activity related to the tripwire file inresponse to at least two instances of an activity related to thetripwire file.

FIG. 14 illustrates another alternative embodiment of the exemplaryoperational flow 200 of FIG. 2. The discovery operation 290 may includeat least one additional operation. The at least one additional operationmay include an operation 298, an operation 302, and/or an operation 304.The operation 298 detects at least one of an indicium of a credit cardcharge authorization request, an information request, an accountattribute change request, a funds transfer request, an inquiry, a query,a charge, a transaction, a transfer request, a deposit, a claim, acorrection, a change of attributes request, a payment, a refund request,and/or a benefit transfer related to the tripwire file. The operation302 detects an indicium of an activity related to a file of the set offiles and determines that the file of the set of files includes thetripwire file. The operation 304 detects an indicium of an activityrelated to a file of the protected set of files and identifies the fileas the tripwire file using a tripwire file identification tool.

FIG. 15 illustrates another alternative embodiment of the exemplaryoperational flow 200 of FIG. 2. The warning operation 320 may include atleast one additional operation. The at least one additional operationmay include an operation 322, an operation 324, and/or an operation 326.The operation 322 generates a signal indicating a source of anoccurrence of an unauthorized activity related to the protected set offiles in response to the detected indicium of an activity related to thetripwire file. The operation 324 generates a signal indicating anoccurrence of an unauthorized activity related to the tripwire file tothe protected set of files in response to the detected indicium of anactivity related to the tripwire file. The operation 326 generates anelectrical signal indicating an occurrence of an unauthorized activityrelated to the protected set of files in response to the detectedindicium of an activity related to the tripwire file.

FIG. 16 illustrates a further alternative embodiment of the exemplaryoperational flow 200 of FIG. 2. The warning operation 320 may include atleast one additional operation. The at least one additional operationmay include an operation 328, an operation 332, and/or an operation 334.The operation 328 generates a machine-readable signal indicating anoccurrence of an unauthorized activity related to the protected set offiles in response to the detected indicium of an activity related to thetripwire file. The operation 332 generates a human-perceivableindication of an unauthorized activity related to the protected set offiles in response to the detected indicium of an activity related to thetripwire file. The operation 334 generates an indication of theunauthorized activity related to the protected set of files that isperceivable by the set-of-files owner and/or the set-of-filesadministrator.

FIG. 17 illustrates another alternative embodiment of the exemplaryoperational flow 200 of FIG. 2. The exemplary operational flow mayinclude at least one additional operation 350. The at least oneadditional operation 350 may include an operation 352, and/or anoperation 354. The operation 352 broadcasts a human-understandableindication of an occurrence of the unauthorized activity related to theprotected set of files. The operation 354 facilitates application of asecurity measure to the protected set of files.

FIGS. 18A and 18B illustrates an environment 400 in which an embodimentof the exemplary operational flow 200 of FIG. 2 may be implemented.FIGS. 18A and 18B schematically illustrate a credit card processingenvironment that is simplified for the purposes of illustration. Acardholder obtains a credit card from a Card-Issuing Bank 430. Thecredit card may be a card branded by an association, such as forillustrative purposes, a VISA® card or MASTERCARD® card, or the creditcard may be a brand owned and issued by the Card-Issuing Bank 430, suchas for illustrative purposes, an AMERICAN EXPRESS® card or DISCOVER®card. The Card-Issuing Bank may maintain a record of cards issued by itin a protected set of files. The protected set of files may include manynormal credit card files each respectively indicating a customer name,an account number, a billing address, a history of charges, a history ofpayments, and other relevant information. Even though protected in amanner selected by the Card-Issuing Bank, at least a portion theprotected set of files may experience an unauthorized access or a theftwith an ultimate goal of incurring fraudulent charges against the creditcard accounts reflected in the set of files.

FIG. 18A illustrates an environment that includes an aspect of a creditcard transaction. A merchant may enter a customer's credit card numberinto their card reader or terminal, illustrated as a Merchant's point ofsale unit 410, in conjunction with a transaction. An authorizationrequest is communicated to an intermediary and/or intermediaries,illustrated as a Processor 420. The Processor communicates theauthorization request to the bank that issued the credit card to thecustomer, illustrated as the Card-Issuing Bank 430. The Card-IssuingBank checks the authorization request against the normal credit cardfile for the customer in its protected set of files, and if appropriate,returns an approval code to the Processor. The Processor returns theapproval code to the Merchant's point of sale unit. The merchanttypically then completes the transaction and the customer receives thegoods.

FIG. 18B illustrates an environment that occurs after the aspect of thecredit card transaction illustrated in FIG. 18A. During a reportingperiod, typically at the end of a day, the Merchant through theMerchant's point of sale unit 410 communicates the transactions,illustrated as “sales drafts with authorization code” for the reportingperiod to the Processor 420. The Processor communicates each transactionto each customer's card-issuing bank, illustrated as “interchangerequest with authorization code” to the Card-Issuing Bank 430. TheCard-Issuing Bank communicates the proceeds, illustrated as “sale amountminus interchange fee” to the Merchant's Bank 440, which deposits the“sales amount minus discount percentage” and any other charges into theMerchant's bank account 445.

At least one entity of the Merchant's point of sale unit 410, theProcessor 420, and/or the Card-Issuing Bank 430 illustrated in FIGS. 18Aand 18B is likely to maintain a protected set of files. In anembodiment, the protected set of files include at least one normal filecorresponding in some manner to the customer's credit card, thecustomer's account information, the transaction, and/or similar recordsof other customers and other transactions. A protected set of filesmaintained by the Card-Issuing Bank 430 is used to illustrate anembodiment of the exemplary operational flow 200 of FIG. 2. A tripwirefile is caused to be included in the protected set of files maintainedby the Card-Issuing Bank that includes at least one normal account. Forexample, the tripwire file may include a record of a tripwire creditcard account having a limited functionality. In an alternativeembodiment, at least two tripwire files are caused to be included in theprotected set of files. The at least one normal account includes leastone record of valid credit card account having a full functionality.

An indicium of an activity related to the tripwire file is detected. Forexample, a detected indicium of activity related to the tripwire filemay include a receipt from the Processor 420 of the credit card charge“authorization request” by the Card-Issuing Bank 430 as illustrated inFIG. 18A. By way of further example, a detected indicium of activity mayinclude at least one of an information request, an account attributechange request, a funds transfer request, an inquiry, a query, a charge,a transaction, a transfer request, a deposit, a claim, a correction, achange of attributes request, a payment, a refund request, and/or abenefit transfer related to the tripwire file. Since the tripwireaccount has only limited functionality and is not associated with a realcustomer, any activity with respect to the tripwire account may indicatean unauthorized access or theft of the protected set of files thatincludes the tripwire account has occurred.

A signal is generated indicating an occurrence of an unauthorizedactivity related to the protected set of files in response to thedetected indicium of an activity related to the tripwire file. Forexample, the generated signal may include a human-perceivable indicationof an unauthorized activity related to the protected set of files inresponse to the detected indicium of an activity related to the tripwirefile. By way of further example, the generated signal may include amachine-readable signal indicating an occurrence of an unauthorizedactivity related to the protected set of files in response to thedetected indicium of an activity related to the tripwire file. Themachine-readable signal may be used to activate an additional securityor protection for the set of files.

In another embodiment, the exemplary operational flow 200 of FIG. 2 maybe used to indicate a security breach of protected file sets in otherindustries. For example, a health insurer may cause a tripwire healthinsurance file to be included in a protected set of health insurancefiles that includes at least one normal health insurance file. By way offurther example, a governmental unit, such as US Department of VeteransAffairs, may cause a tripwire veterans file to be included in aprotected set of veterans files that includes at least one normalveterans file.

FIG. 19 illustrates an exemplary environment 500 in which embodimentsmay be implemented. Components of the exemplary environment include anapparatus 510, a network, a second party apparatus 592, a third partyapparatus 594, and a fourth party apparatus 596. The apparatus 510includes a marker circuit 532 for saving a tripwire file 528 in aprotected set of files 524 that includes at least one normal file 526.The apparatus also includes a monitor circuit 534 for detecting anindicium of an activity related to the tripwire file. The apparatusfurther includes a notification circuit 536 for generating a signalindicating an occurrence of an unauthorized activity related to theprotected set of files in response to the detected indicium of anactivity related to the tripwire file.

In an embodiment, the marker circuit 532 further includes a markercircuit for saving a tripwire file in a protected database that includesat least one normal file. In another embodiment, the marker circuitfurther includes a marker circuit for saving a tripwire filemisleadingly appearing to allow provision of a benefit to a beneficiaryinto a protected set of files that includes at least one regular fileactually allowing provision of the benefit to another beneficiary. In afurther embodiment, the marker circuit further includes a marker circuitfor saving a tripwire file in a protected set of files that includes atleast one normal file. In an embodiment, the tripwire file has aproperty that does not facilitate a return of an approval in response toa health insurance claim. Each normal file of the at least one normalfile has a property that does facilitate a return of an approval inresponse to a health insurance claim. In an embodiment, the markercircuit further includes a marker circuit for causing a tripwire filesubtype to be included in a protected set of files of files thatincludes at least one normal file subtype. In another embodiment, themarker circuit further includes a marker circuit for causing a tripwirefile and a tripwire file identification tool to be included in aprotected set of files that includes at least one normal file. In afurther embodiment, the marker circuit further includes a marker circuitfor causing a tripwire file to be included in a protected set of filesthat includes at least one normal file and for causing a tripwire fileidentification tool to be included in another set of files.

In an embodiment, the monitor circuit 534 further includes a monitorcircuit for detecting an indicium of an activity related to the tripwirefile 528 in response to at least two instances of an activity related tothe tripwire file. In another embodiment, the monitor circuit furtherincludes a monitor circuit for detecting at least one of an indicium ofa credit card charge authorization request, an account informationchange request, a funds transfer request, an inquiry, a query, a charge,a transaction, a claim, a correction, a change of attributes request, arefund, and/or a benefits transfer related to the tripwire file.

In an embodiment, the notification circuit 536 further includes anotification circuit for generating an electrical signal indicating anoccurrence of an unauthorized activity related to the protected set offiles 524 in response to the detected indicium of an activity related tothe tripwire file 528. In a further embodiment, the notification circuitfurther includes a notification circuit for generating ahuman-perceptible indication of an occurrence of an unauthorizedactivity related to the protected set of files in response to thedetected indicium of an activity related to the tripwire file.

In an embodiment, the apparatus 510 may further include a sentry circuit542 for broadcasting a human-understandable indication of the occurrenceof an unauthorized activity related to the protected set of files 524 inresponse to the detected indicium of an activity related to the tripwirefile 528. In another embodiment, the apparatus may further include afortification circuit 544 for facilitating application of a securitymeasure to the protected set of files in response to the detectedindicium of an activity related to the tripwire file. In furtherembodiment, the apparatus may include the fortification circuit forfacilitating application of a security measure to another set of filesin response to the detected indicium of an activity related to thetripwire file.

In an embodiment, the apparatus 510 may be used to implement theoperational flow 200 of FIG. 2 in the environment illustrated in FIGS.18A and 18B. For example, the Card-Issuing Bank 430 of FIG. 18A mayemploy the apparatus and the operational flow to discover a securitybreach to its protected set of files that includes its normal creditcard files. By way of further example, the Processor 420 of FIG. 18A mayemploy the apparatus and the operational flow to discover a securitybreach to any protected set of files it maintains.

FIG. 20 illustrates an exemplary apparatus 600 in which embodiments maybe implemented. The apparatus includes a means 610 for causing atripwire file to be included in a protected set of files that includesat least one normal file. The apparatus also includes a means 620 fordetecting an indicium of an activity related to the tripwire file. Theapparatus further includes a means 630 for generating a signalindicating an occurrence of an unauthorized activity related to theprotected set of files in response to the detected indicium of anactivity related to the tripwire file.

In an embodiment, the apparatus 600 may include a means 640 forbroadcasting a human-understandable indication of an occurrence of anunauthorized activity related to the protected set of files. In anotherembodiment, the apparatus may include a means 650 for facilitatingapplication of a security measure to the protected set of files.

FIG. 21 illustrates an exemplary environment 700 in which embodimentsmay be implemented. The exemplary environment includes an apparatus 710,a network, a second apparatus 792, a third apparatus 794, and/or afourth apparatus 796. The apparatus 710 includes an information store720 configurable by a database 722 that includes at least one fullyoperational account 724 and a limited operational account 726. Theapparatus 710 also includes a database manager device 730. The databasemanager includes a monitor module 732 operable to detect a sign of anactivity related to the limited operational account, and an alert module734 operable to generate signal indicating an unauthorized activityrelated to the database in response to the detected sign of an activityrelated to the limited operational account.

In an embodiment, the information store 720 includes a computer storagemedia and/or a quantum memory device. In another embodiment, theinformation store further includes an information store configured by adatabase 722 that includes a record of at least one fully operationalaccount 724 and a record of a limited operational account 726. In afurther embodiment, the information store further includes aninformation store configured by a database that includes a record of atleast one account facilitating provision of a benefit and a record of alimited operational account not facilitating provision of the benefit.In another embodiment, the information store further includes aninformation store configured by a database that includes at least onenormal credit card account subtype and a limited operational credit cardaccount subtype.

In an embodiment, the monitor module 732 further includes a monitormodule operable to detect a sign of at least one of a financialtransaction card charge authorization request, an account informationchange request, a funds transfer request, an inquiry, a query, a charge,a transaction, a claim, a correction, a change of attributes request, arefund, and/or a benefit transfer related to the limited operationalaccount. In another embodiment, the alert module 734 further includes analert module operable to generate an electronic signal indicating anunauthorized activity related to the database 722 in response to thedetected sign of an activity related to the limited operational account726. In a further embodiment, the alert module further includes an alertmodule operable to generate a human-understandable indication of anunauthorized activity related to the database in response to thedetected sign of an activity related to the limited operational account.

In an embodiment, the database manager device 730 further includes acommunications module 736 operable to broadcast a human-understandableindication of an occurrence of an unauthorized activity related to thedatabase 722 in response to the detected sign of an activity related tothe limited operational account 726. In another embodiment, the databasemanager device further includes a fortification module 738 operable tofacilitate changing a protection status of the database in response tothe detected sign of an activity related to the limited operationalaccount.

In use, the apparatus 710 may be used to implement the operational flow200 of FIG. 2 in the environment illustrated in FIGS. 18A and 18B. Forexample, the Card-Issuing Bank 430 of FIG. 18A may employ the apparatusand the operational flow to discover a security breach to its protectedset of files that includes its normal credit card files. By way offurther example, the Processor 420 of FIG. 18A may employ the apparatusand the operational flow to discover a security breach to any protectedset of files it maintains.

FIG. 22 illustrates an exemplary operational flow 800 in whichembodiments may be implemented. After a start operation, the operationalflow moves a discovery operation 810. The discovery operation detects asign of an activity related to a tripwire file of a protected set offiles. The protected set of files includes at least one normal file anda tripwire file. A warning operation 840 generates a signal indicatingan unauthorized activity related to the protected set of files inresponse to the detected sign of an activity related to the tripwirefile. The operational flow then moves to an end operation.

FIG. 23 illustrates an alternative embodiment of the exemplaryoperational flow 800 of FIG. 22. The discovery operation 810 may includeat least one additional operation. The at least one additional operationmay include an operation 812, an operation 814, and/or an operation 816.The operation 812 detects a sign of an activity related to a tripwirefile of a protected database, the protected database including at leastone normal file and a tripwire file. The operation 814 detects a sign ofat least one of an activity related to a tripwire financial transactioncard account, an activity related to a tripwire bank account, anactivity related to tripwire insurance policy, and/or an activityrelated to a tripwire license. The operation 816 detects a sign of anactivity related to the tripwire file in response to at least twoinstances of an activity related to the tripwire file.

FIG. 24 illustrates another embodiment of the exemplary operational flow800 of FIG. 22. The discovery operation 810 may include at least oneadditional operation. The at least one additional operation may includean operation 818, an operation 822, and/or an operation 824. Theoperation 818 detects at least one of a sign of a credit card chargeauthorization request, an information request, an account attributechange request, a funds transfer request, an inquiry, a query, a charge,a transaction, a transfer request, a deposit, a payment, a claim, acorrection, a change of attributes request, a refund request, and/or abenefit transfer related to the tripwire file. The operation 822 detectsa sign of an activity related to a file of the set of files anddetermines that the file of the set of files includes the tripwire file.The operation 824 detects a sign of an activity related to a file of theprotected set of files and identifying the file as the tripwire fileusing a tripwire file identification tool.

FIG. 25 illustrates a further embodiment of the exemplary operationalflow 800 of FIG. 22. The warning operation 840 may include at least oneadditional operation. The at least one additional operation may includean operation 842, an operation 844, and/or an operation 846. Theoperation 842 generates a signal indicating a source of an occurrence ofan unauthorized activity related to the protected set of files inresponse to the detected sign of an activity related to a tripwire file.The operation 844 generates a signal indicating an occurrence of anunauthorized activity related to the tripwire file of the protected setof files in response to the detected sign of an activity related to atripwire file. The operation 846 generates an electrical signalindicating an occurrence of an unauthorized activity related to theprotected set of files in response to the detected sign of an activityrelated to a tripwire file.

FIG. 26 illustrates another embodiment of the exemplary operational flow800 of FIG. 22. The warning operation 840 may include at least oneadditional operation. The at least one additional operation may includean operation 848, and/or an operation 852. The operation 848 generates amachine-readable signal indicating an occurrence of an unauthorizedactivity related to the protected set of files in response to thedetected sign of an activity related to a tripwire file. The operation852 generates a human-perceivable indication of an occurrence of anunauthorized activity related to the protected set of files in responseto the detected sign of an activity related to a tripwire file.

FIG. 27 illustrates another embodiment of the exemplary operational flow800 of FIG. 22. The operational flow may include at least one additionaloperation. The at least one additional operation may include anoperation 870. The operation 870 receives from another party theprotected set of files that includes the at least one normal file andthe tripwire file. The operation 870 may include at least one additionaloperation, such as an operation 872 and/or an operation 874. Theoperation 872 receives from another party at least a portion of theanother parties' protected set of files that includes the at least onenormal file and the tripwire file. The operation 874 receives fromanother party a transformed and/or an encrypted portion of the anotherparties' protected set of files that includes the at least one normalfile and the tripwire file. The another parties protected set of filesmay include a protected set of files maintained and/or operated by theanother, and/or may include a protected set of files received from athird party by the another.

FIG. 28 illustrates a further embodiment of the exemplary operationalflow 800 of FIG. 22. The operational flow may include at least oneadditional operation 880. The operation 880 may include an operation 882and/or an operation 884. The operation 882 broadcasts ahuman-understandable indication of an occurrence of an unauthorizedactivity related to the protected set of files. The operation 884facilitates application of a security measure to the protected set offiles.

FIG. 29 illustrates another embodiment of the exemplary operational flow800 of FIG. 22. The at least one additional operation 880 of FIG. 28 mayinclude at least one addition operation, such as an operation 886. Theoperation 886 transmits an indication of an occurrence of anunauthorized activity related to the protected set of files in a mannerreceivable by an owner and/or administrator of the protected set offiles. The operation 886 may include at least one additional operation,such as an operation 888. At the operation 888, the owner and/or theadministrator of the protected set of files includes at least one of agovernment entity, a social security system, a retirement system, adrivers license system, a passport system, an employer, a merchant, aservice provider, a financial transaction card issuer, a credit cardissuer, a credit card processor, a merchant, a health care provider, amerchant banking institution, a credit card association, a memberassociation, a stockbrokerage, a mutual fund, an insurance company,and/or a banking institution.

In an embodiment, the operational flow 800 of FIG. 22 may be implementedin the environment illustrated in FIGS. 18A and 18B. For example, theCard-Issuing Bank 430 of FIG. 18A the operational flow to discover asecurity breach to its protected set of files that includes its normalcredit card files. By way of further example, the Processor 420 of FIG.18A may employ the apparatus and the operational flow to discover asecurity breach to a protected set of files maintained by theCard-Issuing Bank.

FIG. 30 illustrates an exemplary environment 900 in which embodimentsmay be implemented. The exemplary environment includes the apparatus 510described in conjunction with FIG. 19 and an apparatus 910. Theapparatus 910 includes a monitoring circuit 932 and an alert circuit934.

The monitoring circuit 932 includes a monitoring circuit for detecting asign of an activity related to a tripwire file of a protected set offiles, the protected set of files including at least one normal file 926and a tripwire file 928. The protected set of files may include an atleast a portion of the protected set of files 924 communicated from theprotected set of files 520. In an embodiment, the at least a portion ofthe protected set of files may be saved in an information store 922local to the apparatus 910. In another embodiment, the protected set offiles may be saved in a remote information store (not shown) availableto the apparatus 910 over the network. In a further embodiment, theprotected set of files may be saved in the remote information 522 storeavailable to the apparatus 910 over the network. The alert circuitincludes an alert circuit for generating a signal indicating anunauthorized activity related to the protected set of files in responseto the detected sign of an activity related to a tripwire file.

In an alternative embodiment, the apparatus 910 includes acommunications circuit 936 for receiving from another party theprotected set of files that includes the at least one normal file andthe tripwire file. In a further embodiment, the communications circuitfurther includes a communications circuit for transmitting an indicationof an occurrence of an unauthorized activity related to the protectedset of files in a manner receivable by an owner and/or administrator ofthe protected set of files in response to the detected sign of anactivity related to a tripwire file. For example, the owner and/oradministrator of the protected set of files may include the databaseowner/administrator 505. In another alternative embodiment, theapparatus 910 includes a guard circuit 938 for facilitating applicationof a security measure to the protected set of files in response to thedetected sign of an activity related to a tripwire file.

FIG. 31 illustrates an exemplary apparatus 1000 in which embodiments maybe implemented. The apparatus includes a means 1010 for detecting a signof an activity related to a tripwire file of a protected set of files,the protected set of files including at least one normal file and atripwire file. The apparatus also includes a means 1020 for generating asignal indicating an unauthorized activity related to the protected setof files in response to the detected sign of an activity related to atripwire file.

In an alternative embodiment, the apparatus 1000 includes a means 1030for receiving from another party at least a portion of the anotherparties' protected set of files that includes the at least one normalfile and the tripwire file. In a further embodiment, the apparatusincludes a means 1040 for broadcasting a human-understandable indicationof an occurrence of an unauthorized activity related to the protectedset of files. In another embodiment, the apparatus includes a means 1050for transmitting an indication of an occurrence of an unauthorizedactivity related to the protected set of files in a manner receivable byan owner and/or administrator of the protected set of files. In anembodiment, the apparatus includes a means 1060 for facilitatingapplication of a security measure to the protected set of files inresponse to the detected sign of an activity related to a tripwire file.

FIG. 32 illustrates an exemplary environment 900 in which embodimentsmay be implemented. The exemplary environment includes an apparatus 1110and an apparatus 1150. The apparatus 1110 includes an apparatus at leastsubstantially similar to the apparatus 510 described in conjunction withFIG. 30. The apparatus 1150 includes a communications device 1172, aninformation store 1162, a processor 1174, and a database manager circuit1180.

The communications device 1172 includes a communications device operableto receive an at least a portion of a protected database 1164 thatincludes at least one fully operational account 1166 and a limitedoperational tripwire account 1168. In an embodiment, the operability toreceive an at least a portion of a protected database includes anoperability to receive at least a portion of a protected database 1124of apparatus 1110. The information store 1162 includes an informationstorage device configurable by a received at least a portion of aprotected database. In another embodiment, the information store furtherincludes an information store configured by the received at least aportion of a protected database.

The database manager circuit 1180 includes a recognizer module 1186operable to detect a sign of an activity related to the limitedoperational tripwire account. The database manager circuit furtherincludes an alert module 1188 operable to generate signal indicating anunauthorized activity related to the received at least a portion of adatabase 1164 in response to the detected sign of an activity related toa limited operational tripwire account 1168. In a further embodiment,the alert module further includes an alert module operable to generatesignal indicating an unauthorized activity related to the received atleast a portion of a database and to transmit the signal in a mannerreceivable by an owner and/or administrator 1105 of the received atleast a portion of a database.

FIG. 33 illustrates an exemplary operational flow 1200 in whichembodiments may be implemented. After a start operation, the operationalflow moves to an implanting operation 1210. The implanting operationincludes a tripwire file into a protected set of files that includes atleast one normal file. A transmission operation 1260 facilitates acommunication to a second party of at least a portion of the protectedset of files. An acquisition operation 1270 receives a signal indicatingan occurrence of an activity related to the tripwire file. Theoperational flow then moves to an end operation.

FIG. 34 illustrates an alternative embodiment of the exemplaryoperational flow 1200 of FIG. 33. The implanting operation 1210 mayinclude at least one additional operation. The at least one additionaloperation may include an operation 1212, an operation 1214, an operation1216, and/or an operation 1218. The operation 1212 includes a tripwirefile into a protected database that includes at least one normal file.The operation 1214 includes a tripwire account has a limitedfunctionality into a protected set of files that includes at least oneregular account having a full functionality. The operation 1216 includesa record of a tripwire account having a limited functionality into aprotected set of files that includes at least one record of validaccount having a full functionality. The operation 1218 includes atripwire file providing a limited benefit into a protected set of filesthat includes at least one regular file providing a full benefit.

FIG. 35 illustrates another embodiment of the exemplary operational flow1200 of FIG. 33. The implanting operation 1210 may include at least oneadditional operation. The at least one additional operation may includean operation 1222, an operation 1224, and/or an operation 1226. Theoperation 1222 includes a tripwire file misleadingly appearing to allowprovision of a benefit to a beneficiary into a protected set of filesthat includes at least one regular file actually allowing provision ofthe benefit to another beneficiary. The operation 1224 includes atripwire file facilitating provision of a token and/or de minimisbenefit into a protected set of files that includes at least one regularfile facilitating provision of a full benefit. The operation 1226includes a tripwire file subtype into a protected set of files thatincludes at least one normal file subtype.

FIG. 36 illustrates a further embodiment of the exemplary operationalflow 1200 of FIG. 33. The implanting operation 1210 may include at leastone additional operation. The at least one additional operation mayinclude an operation 1228, and/or an operation 1232. The operation 1228includes a tripwire file subtype into a protected set of files thatincludes at least one normal file subtype, wherein the tripwire fileincludes data and/or a characteristic usable in discriminating between atripwire file subtype and an normal file subtype. The operation 1232includes a tripwire file and a tripwire file identification tool into aprotected set of files that includes at least one normal file. Theoperation 1232 may include at least one additional operation, such as anoperation 1234. The operation 1234 causes a tripwire file to be includedin a protected set of files that includes at least one normal file andcauses a tripwire file identification tool to be included another set offiles.

FIG. 37 illustrates an alternative embodiment of the exemplaryoperational flow 1200 of FIG. 33. The implanting operation 1210 mayinclude at least one additional operation. The at least one additionaloperation may include an operation 1236, and/or an operation 1238. Theoperation 1236 includes a tripwire file into a protected set of filesthat includes at least one normal file. The tripwire file is at leastsubstantially lacking at least one of a name, an attribute, anassociation, an operation, an interaction, a collaboration, avisibility, a state, a generalization, a relationship, and/or aresponsibility element present in the at least one normal file. Theoperation 1238 includes a tripwire file into a protected set of filesthat includes at least one normal file. The tripwire file has at leastone of a name, an attribute, an association, an operation, aninteraction, a collaboration, a visibility, a state, a generalization, arelationship, and/or a responsibility that is at least substantiallydifferent from each file of the at least one normal file.

FIG. 38 illustrates another embodiment of the exemplary operational flow1200 of FIG. 33. The implanting operation 1210 may include at least oneadditional operation. The at least one additional operation may includean operation 1242, and/or an operation 1244. The operation 1242 includesa tripwire file in a protected set of files that includes at least onenormal file. The tripwire file has a property that does not facilitatereturn of an approval code in response to a credit card authorizationrequest. Each normal file of the at least one normal file has a propertythat does facilitate return of an approval code in response to a creditcard authorization request. The operation 1244 includes a tripwire fileinto a protected set of files that includes at least one normal file.The tripwire file has a property that does not facilitate a return of anapproval in response to a health insurance claim. Each normal file ofthe at least one normal file has a property that does facilitate areturn of an approval in response to a health insurance claim.

FIG. 39 illustrates a further embodiment of the exemplary operationalflow 1200 of FIG. 33. The implanting operation 1210 may include at leastone additional operation, such as the operation 1246. The operation 1246includes in a protected set of files a tripwire file having a usabilityat least substantially limited to facilitating detection of a securitybreach of the protected set of files. The transmission operation 1260may include at least one additional operation, such as the operation1262. The operation 1262 facilitates a communication to a second partyof at least a portion of the protected set of files in at least one ofan untransformed, a transformed, and/or a secure configuration.

FIG. 40 illustrates an alternative embodiment of the exemplaryoperational flow 1200 of FIG. 33. The communication operation 1270 mayinclude at least one additional operation. The at least one additionaloperation may include an operation 1272, and/or an operation 1274. Theoperation 1272 receives a signal originated by at least one of thesecond party and/or by a third party and indicating an occurrence of anactivity related to the tripwire file. The operation 1274 receives asignal indicating an occurrence of an activity related to the tripwirefile. The activity includes at least one of a credit card chargeauthorization request, an information request, an account attributechange request, a funds transfer request, an inquiry, a query, a charge,a transaction, a transfer request, a deposit, a claim, a correction, achange of attributes request, a payment, a refund request, and/or abenefit transfer related to the tripwire file.

FIG. 41 illustrates another embodiment of the exemplary operational flow1200 of FIG. 33. The operational flow may include at least oneadditional operation 1290. The at least one additional operation mayinclude an operation 1292, and/or an operation 1294. The operation 1292in response to the receiving a signal indicating an occurrence of anactivity related to the tripwire file, generates a human-perceivablesignal indicating an occurrence of an unauthorized activity related tothe protected set of files. The operation 1294 facilitates anapplication of a security measure to the protected set of files inresponse to the receiving a signal indicating an occurrence of anactivity related to the tripwire file.

FIG. 42 illustrates a partial view of an exemplary computer programproduct 1300. The computer program product includes program instruction1304 and a computer-readable signal-bearing medium 1302 bearing theprogram instructions. The computer program product encodes the computerprogram instructions as computer executable instructions operable toperform a process in a computing device. The process includes a tripwirefile into a protected set of files that includes at least one normalfile. The process also facilitates a communication to a second party ofat least a portion of the protected set of files. The process furtherreceives a signal indicating an occurrence of an activity related to thetripwire file.

In an alternative embodiment, the process further includes generating1306 a signal indicating an occurrence of an unauthorized activityrelated to the protected set of files in response to the received signalindicating an occurrence of an activity related to the tripwire file. Inanother embodiment, the process further includes facilitating 1308application of a security measure to the protected set of files inresponse to the received signal indicating an occurrence of an activityrelated to the tripwire file. In an alternative embodiment, the computerprogram product 1300 may be implemented in hardware, software, and/orfirmware.

In a further embodiment, the computer-readable signal-bearing mediumincludes a computer storage medium 1312. In another embodiment, thecomputer-readable signal-bearing medium includes a communication medium1314.

FIG. 43 illustrates a partial view of an exemplary apparatus 1400 thatmay implement embodiments. The apparatus includes a means 1410 forincluding a tripwire file into a protected set of files that includes atleast one normal file. The apparatus also includes a means 1420 forfacilitating a communication to a second party of at least a portion ofthe protected set of files. The apparatus further includes a means 1430for receiving a signal indicating an occurrence of an activitycorresponding to the tripwire file.

In an alternative embodiment, the apparatus includes a means 1440 forfacilitating application of a security measure to the protected set offiles in response to the received signal indicating an occurrence of anactivity corresponding to the tripwire file. In another embodiment, theapparatus includes a means 1450 for generating a human-perceivablesignal indicating an occurrence of an unauthorized activity related tothe protected set of files in response to the received signal indicatingan occurrence of an activity corresponding to the tripwire file.

FIG. 44 illustrates a partial view of an exemplary operational flow 1500in which embodiments may be implemented. After a start operation, theoperational flow moves to a snare placement operation 1510. The snareplacement operation includes a dummy financial transaction cardidentifier and at least one valid financial transaction card identifierin a protected customer database. The inclusion of the dummy financialtransaction card identifier and the at least one valid financialtransaction card identifier in a protected database may be accomplishedin any manner. In one embodiment, the dummy financial transaction cardidentifier may be added to a protected database that already includesthe valid financial transaction card identifier. In another embodiment,the valid financial transaction card identifier may be added to aprotected database that already includes the dummy financial transactioncard identifier. In a further embodiment, the dummy financialtransaction card identifier and the valid financial transaction cardidentifier may be saved in the protected database at about the sametime. A concealment operation 1550 maintains the dummy financialtransaction card identifier dormant. A trapping operation 1580periodically monitors a status of the dummy financial transaction cardidentifier. The operational flow then moves to an end operation.

FIG. 45 illustrates an alternative embodiment of the exemplaryoperational flow 1500 of FIG. 44. The snare placement operation 1510 mayinclude at least one additional operation. The at least one additionaloperation may include an operation 1512, an operation 1514, and/or anoperation 1516. The operation 1512 includes a dummy financialtransaction card identifier and at least one valid financial transactioncard identifier in a protected customer database. The financialtransaction card including at least one of a credit card, a charge card,a debit card, a phone card, a cash card, a calling card, and/or a giftcard. The operation 1514 includes a dummy financial transaction cardidentifier and at least one valid financial transaction card identifierin a protected customer database. The financial transaction cardincludes a financial transaction card that provides a financial benefitto a holder of the card. The operation 1516 includes a dummy financialtransaction card identifier and at least one valid financial transactioncard identifier in a protected customer database. The financialtransaction card includes a financial transaction card linked to anaccount that provides a financial benefit to a holder of the card.

FIG. 46 illustrates an alternative embodiment of the exemplaryoperational flow 1500 of FIG. 44. The snare placement operation 1510 mayinclude at least one additional operation. The at least one additionaloperation may include an operation 1518, and/or an operation 1522. Theoperation 1518 includes a dummy financial transaction card identifierand at least one valid financial transaction card identifier in aprotected customer database. The financial transaction card includes anyinstrument and/or device, including but not limited to a credit card,credit plate, charge plate, courtesy card, bank services card, bankingcard, check guarantee card, debit card, electronic benefit system card,electronic benefit transfer card, and/or assistance transaction cardissued for use in obtaining at least one of credit, money, goods,services, public assistance benefits, and/or anything else of value. Theoperation 1522 includes a dummy financial transaction card number and/orname and at least one valid financial transaction card identifier in aprotected customer database.

FIG. 47 illustrates another embodiment of the exemplary operational flow1500 of FIG. 44. The snare placement operation 1510 may include at leastone additional operation. The at least one additional operation mayinclude an operation 1524, an operation 1526, and/or an operation 1528.The operation 1524 includes a dummy financial transaction cardidentifier misleadingly appearing to allow provision of a benefit to abeneficiary and at least one valid financial transaction card identifieractually allowing provision of the benefit to another beneficiary in aprotected customer database. The operation 1526 includes a dummycustomer financial transaction card identifier and at least one validcustomer financial transaction card identifier in a protected customerdatabase. The operation 1528 adds a dummy financial transaction cardidentifier into a protected customer database that includes at least onevalid financial transaction card identifier.

FIG. 48 illustrates an alternative embodiment of the exemplaryoperational flow 1500 of FIG. 44. The snare placement operation 1510 mayinclude at least one additional operation. The at least one additionaloperation may include an operation 1532. The operation 1532 facilitatesinclusion of a dummy financial transaction card identifier into aprotected customer database that includes at least one valid financialtransaction card identifier.

FIG. 49 illustrates an alternative embodiment of the exemplaryoperational flow 1500 of FIG. 44. The concealment operation 1550 mayinclude at least one additional operation. The at least one additionaloperation may include an operation 1552, an operation 1554, an operation1556, and/or an operation 1558. The operation 1552 subjects the dummyfinancial transaction card identifier to an access restriction. Forexample, the access restriction may limit access to the dummy financialtransaction card identifier only to persons having a high-level securityclearance. The operation 1554 subjects the dummy financial transactioncard identifier to a usage restriction. For example, the usagerestriction may limit use of the dummy financial transaction cardidentifier to a single person for testing purposes only. The operation1556 maintains the dummy financial transaction card identifier inactive.For example, inactivity may be maintained by blocking any changes to anaspect of the dummy financial transaction card identifier, such as acustomer name, a mailing address, and/or a credit limit. The operation1558 maintains the dummy financial transaction card identifierfinancially inactive.

FIG. 50 illustrates another embodiment of the exemplary operational flow1500 of FIG. 44. The concealment operation 1550 may include at least oneadditional operation. The at least one additional operation may includean operation 1562, an operation 1564, and/or an operation 1566. Theoperation 1562 subjects the dummy financial transaction card identifierto at least a substantial effort to preserve a confidentiality of thedummy financial transaction card identifier. The operation 1564 abstainsfrom tendering the dummy financial transaction card identifier inconjunction with a transaction. The operation 1566 instructs others thata tender of the dummy financial transaction card identifier inconjunction with any transaction is prohibited.

FIG. 51 illustrates a further embodiment of the exemplary operationalflow 1500 of FIG. 44. The trapping operation 1580 may include at leastone additional operation. The at least one additional operation mayinclude an operation 1582, an operation 1584, and/or an operation 1586.The operation 1582 periodically monitors a status of an activityassociated with the dummy financial transaction card identifier. Theoperation 1854 periodically monitors a status of a financial activityassociated with the dummy financial transaction card identifier. Theoperation 1586 periodically monitors a tender status of the dummyfinancial transaction card identifier in conjunction with a financialtransaction.

FIG. 52 illustrates another embodiment of the exemplary operational flow1500 of FIG. 44. The trapping operation 1580 may include at least oneadditional operation. The at least one additional operation may includean operation 1588, and/or an operation 1589. The operation 1588periodically monitors a received tender status of the dummy financialtransaction card identifier from at least one of a card brandassociation, a processor of a transaction involving the financialtransaction card identifier, a card issuer, a merchant, a financialinstitution, and/or a card processor. For example, a tender status ofthe dummy financial transaction card identifier may include at least oneof the Merchant's point of sale unit 410 of FIG. 18 having received thedummy financial transaction card identifier; the Merchant's point ofsale unit having communicated an “authorization request” related to thedummy financial transaction card identifier; the Processor 420 havingreceived an “authorization request” related to the dummy financialtransaction card identifier; the Processor having communicated an“authorization request” related to the dummy financial transaction cardidentifier; Card-Issuing Bank 430 having received an “authorizationrequest” related to the dummy financial transaction card identifier;and/or the Card-Issuing Bank 430 having communicated an “approval code”related to the dummy financial transaction card identifier. Theoperation 1589 periodically monitors a status of an unauthorizedactivity associated with the dummy financial transaction cardidentifier.

FIG. 53 illustrates a further embodiment of the exemplary operationalflow 1500 of FIG. 44. The operational flow may include at least oneadditional operation, illustrated as an operation 1590. The at least oneadditional operation may include an operation 1592, an operation 1594,an operation 1596, and/or an operation 1598. The operation 1592generates a human-perceivable signal indicating an occurrence of anactivity related to the protected customer database. The operation 1594generates a human-perceivable signal indicating an occurrence of anunauthorized activity related to the protected customer database. Theoperation 1596 broadcasts a human-understandable indication of anoccurrence of a activity related to the protected customer database. Theoperation 1598 facilitates application of a security measure to theprotected customer database.

FIG. 54 illustrates an exemplary environment 1600 in which embodimentsmay be implemented. The environment includes an apparatus 1605. Theapparatus includes a manager module 1610 operable to plant a fakefinancial transaction card identifier in a customer database thatincludes at least one genuine financial transaction card identifier. Theapparatus also includes a control module 1620 operable to maintain thefake financial transaction card identifier in a hidden state. Theapparatus further includes a security assessment module 1630 operable toperiodically monitor a usage state of the fake financial transactioncard identifier.

In an alternative embodiment, the security assessment module 1640further includes a security assessment module 1632 operable toperiodically monitor an unauthorized usage state of the fake financialtransaction card identifier. In another embodiment, the securityassessment module further includes a security assessment module 1634operable to periodically monitor an unauthorized tender state of thefake financial transaction card identifier.

In a further embodiment, the apparatus 1605 includes an alert module1640 operable to generate a signal perceivable by an owner and/or anadministrator of the set-of-files indicating an occurrence of anunauthorized activity related to the customer database. In anotherembodiment, the apparatus includes a transmitter module 1650 operable tobroadcast a human-understandable indication of an occurrence of anunauthorized activity related to the customer database. In a furtherembodiment, the apparatus includes a safeguard module 1660 operable tofacilitate application of a security measure to the customer database.

FIG. 55 partially illustrates an exemplary environment 1700 in whichembodiments of the operational flow 1500 of FIG. 44 and/or the apparatus1610 of FIG. 54 may be implemented. FIG. 55 illustrates an aspect of thecredit card processing system described in conjunction with FIGS. 18Aand 18B from a perspective of a merchant, illustrated as a FirstMerchant 1705. In an embodiment, the First Merchant maintains aprotected customer database 1710 that includes a valid financialtransaction card identifier for each customer (or genuine cardidentifier as described in conjunction with FIG. 54). The validfinancial transaction card identifier may be acquired in any manner. Forexample, the identifiers may be acquired from customer transactionshandled through the First Merchant's Point of sale unit 410.

The First Merchant 1705 may include a dummy financial transaction cardidentifier (or a fake card identifier as described in conjunction withFIG. 54) in their protected customer database 1710 by performing theoperational flow 1500 described in conjunction with FIG. 44. In analternative embodiment, the First Merchant may include a dummy financialtransaction card identifier in their protected customer database usingthe apparatus 1610 described in conjunction with FIG. 54. Next, theFirst Merchant maintains the dummy financial transaction card identifierdormant. For example, the dummy financial transaction card identifiercan be kept secret from everyone except an administrator of the customerdatabase. The First Merchant periodically monitors a status of the dummyfinancial transaction card identifier. For example, the First Merchantcan monitor information received from others relating to stolen andfraudulent card use, such as information from the Card-Issuing Bank 430,the Processor 420, and/or others. Appearance of the dummy financialtransaction card identifier in such information may be treated by theFirst Merchant as a change in status of the dummy financial transactioncard identifier from a dormant status to a tendered in commerce status.This First Merchant may regard a change in status of the dummy financialtransaction card identifier as indicating that a security breach hasoccurred to their customer database 1710. A human-perceivable signal maybe generated using the display 1715 indicating an occurrence of anactivity related to the protected customer database. An application of asecurity measure to the protected customer database may be facilitatedusing the security tool 1 720.

In another embodiment, a prepaid long distance telephone card issuer mayinclude a dummy prepaid telephone card identifier in its protecteddatabase that includes genuine prepaid telephone card identifiers. Theprepaid long distance telephone card issuer would maintain the dummyprepaid telephone card identifier dormant. The prepaid long distancetelephone card issuer can monitor a status of the dummy prepaidtelephone card identifier. The monitoring may include monitoringinformation generated by others indicating stolen or fraudulent prepaidtelephone card identifiers. Appearance of the dummy prepaid telephonecard identifier in such information may treated by the prepaid longdistance telephone card issuer as a change in status of dummy prepaidtelephone card identifier from a dormant status to a tendered incommerce status. This change in status of the dummy prepaid telephonecard identifier may be regarded by the prepaid long distance telephonecard issuer as an indication that a security breach has occurred totheir database.

FIG. 56 illustrates an exemplary apparatus 1800 that may be used toimplement embodiments. The apparatus includes a means 1810 forintroducing a dummy financial transaction card identifier into aprotected customer database that includes at least one valid financialtransaction card identifier. The apparatus also includes a means 1820for maintaining the dummy financial transaction card identifier dormant.The apparatus further includes means 1830 for periodically monitoring astatus of the dummy financial transaction card identifier.

In an alternative embodiment, the apparatus 1800 includes a means 1840for generating a signal perceivable by an owner and/or an administratorof the set-of-files indicating an occurrence of an unauthorized activityrelated to the protected customer database. In another embodiment, theapparatus includes a means 1850 for broadcasting a human-understandableindication of an occurrence of a unauthorized activity related to theprotected customer database. In a further means, the apparatus includesa means 1860 for facilitating application of a security measure to theprotected customer database.

FIG. 57 partially illustrates an exemplary operational flow 1900 inwhich embodiments may be implemented. After a start operation, theoperational flow moves to an integration operation 1910. The integrationoperation causes a financial transaction card account to be included ina protected set of files owned and/or administered by a second party andthat includes at least one other financial transaction card account. Aconfidentiality operation 1920 maintains the financial transaction cardaccount in a dormant state. A sentry operation 1930 periodicallymonitors a status of the financial transaction card account. Theoperational flow then moves to an end operation.

FIG. 58 illustrates an alternative embodiment of the exemplaryoperational flow 1900 of FIG. 57. The integration operation 1910 mayinclude at least one additional operation, such as an operation 1912. Atthe operation 1912 the causing a financial transaction card account tobe included in a protected set of files further includes at least one ofinitiating, applying for, and/or purchasing a financial transaction cardaccount for inclusion in a protected set of files owned and/oradministered by a second party. The set of files further includes atleast one other financial transaction card account. The sentry operation1930 may include at least one additional operation, such as an operation1932. The operation 1932 periodically monitors a status of the financialtransaction card account for a status corresponding with the financialtransaction card being tendered in conjunction with a financialtransaction.

FIG. 59 illustrates an alternative embodiment of the exemplaryoperational flow 1900 of FIG. 57. The operational flow 1900 may includeat least one additional operation, such as an operation 1940. Theoperation 1940 generates a signal indicating that security of theprotected set of files has been compromised.

FIG. 60 illustrates an exemplary embodiment of a system 2000 thatincludes an exemplary computer-implemented device 2005 in whichembodiments may be implemented. The computer-implemented device includesa first module 2010 operable to cause a financial transaction cardaccount to be included in a protected set of files owned and/oradministered by a second party. The protected set of files includes atleast one other financial transaction card account. Thecomputer-implemented device also includes a second module 2020 operableto maintain the financial transaction card account in a dormant state.The computer-implemented device further includes a third module 2030operable to periodically monitor a status of the financial transactioncard account.

FIG. 61 illustrates an exemplary environment 2100 that includes anexemplary apparatus 2105 in which embodiments may be implemented. Theapparatus includes a means 2110 for causing a financial transaction cardaccount to be included in a protected set of files owned and/oradministered by a second party and that includes at least one otherfinancial transaction card account. The apparatus also includes a means2120 for maintaining the financial transaction card account in a dormantstate. The apparatus further includes a means 2130 for periodicallymonitoring a status of the financial transaction card account.

The foregoing detailed description has set forth various embodiments ofthe devices and/or processes via the use of block diagrams, flowdiagrams, operation diagrams, flowcharts, illustrations, and/orexamples. Insofar as such block diagrams, operation diagrams,flowcharts, illustrations, and/or examples contain one or more functionsand/or operations, it will be understood that each function and/oroperation within such block diagrams, operation diagrams, flowcharts,illustrations, or examples can be implemented, individually and/orcollectively, by a wide range of hardware, software, firmware, orvirtually any combination thereof unless otherwise indicated. Aparticular block diagram, operation diagram, flowchart, illustration,environment, and/or example should not be interpreted as having anydependency or requirement relating to any one or combination ofcomponents illustrated therein. For example, in certain instances, oneor more elements of an environment may be deemed not necessary andomitted. In other instances, one or more other elements may be deemednecessary and added.

Those having skill in the art will recognize that the state of the arthas progressed to the point where there is little distinction leftbetween hardware and software implementations of aspects of systems; theuse of hardware or software is generally (but not always, in that incertain contexts the choice between hardware and software can becomesignificant) a design choice representing cost vs. efficiency tradeoffs.Those having skill in the art will appreciate that there are variousvehicles by which processes and/or systems and/or other technologiesdescribed herein can be effected (e.g., hardware, software, and/orfirmware), and that the preferred vehicle will vary with the context inwhich the processes and/or systems and/or other technologies aredeployed. For example, if an implementer determines that speed andaccuracy are paramount, the implementer may opt for a mainly hardwareand/or firmware vehicle; alternatively, if flexibility is paramount, theimplementer may opt for a mainly software implementation; or, yet againalternatively, the implementer may opt for some combination of hardware,software, and/or firmware. Hence, there are several possible vehicles bywhich the processes and/or devices and/or other technologies describedherein may be effected, none of which is inherently superior to theother in that any vehicle to be utilized is a choice dependent upon thecontext in which the vehicle will be deployed and the specific concerns(e.g., speed, flexibility, or predictability) of the implementer, any ofwhich may vary. Those skilled in the art will recognize that opticalaspects of implementations will typically employ optically-orientedhardware, software, and or firmware.

In addition, those skilled in the art will appreciate that themechanisms of the subject matter described herein are capable of beingdistributed as a program product in a variety of forms, and that anillustrative embodiment of the subject matter described herein appliesequally regardless of the particular type of signal-bearing media usedto actually carry out the distribution. Examples of a signal-bearingmedia include, but are not limited to, the following: recordable typemedia such as floppy disks, hard disk drives, CD ROMs, digital tape, andcomputer memory; and transmission type media such as digital and analogcommunication links using TDM or IP based communication links (e.g.,packet links).

It will be understood by those within the art that, in general, termsused herein, and especially in the appended claims (e.g., bodies of theappended claims) are generally intended as “open” terms (e.g., the term“including” should be interpreted as “including but not limited to,” theterm “having” should be interpreted as “having at least,” the term“includes” should be interpreted as “includes but is not limited to,”etc.). It will be further understood by those within the art that if aspecific number of an introduced claim recitation is intended, such anintent will be explicitly recited in the claim, and in the absence ofsuch recitation no such intent is present. For example, as an aid tounderstanding, the following appended claims may contain usage of theintroductory phrases “at least one” and “one or more” to introduce claimrecitations. However, the use of such phrases should not be construed toimply that the introduction of a claim recitation by the indefinitearticles “a” or “an” limits any particular claim containing suchintroduced claim recitation to inventions containing only one suchrecitation, even when the same claim includes the introductory phrases“one or more” or “at least one” and indefinite articles such as “a” or“an” (e.g., “a” and/or “an” should typically be interpreted to mean “atleast one” or “one or more”); the same holds true for the use ofdefinite articles used to introduce claim recitations. In addition, evenif a specific number of an introduced claim recitation is explicitlyrecited, those skilled in the art will recognize that such recitationshould typically be interpreted to mean at least the recited number(e.g., the bare recitation of “two recitations,” without othermodifiers, typically means at least two recitations, or two or morerecitations). Furthermore, in those instances where a conventionanalogous to “at least one of A, B, and C, etc.” is used, in generalsuch a construction is intended in the sense one having skill in the artwould understand the convention (e.g., “a system having at least one ofA, B, and C” would include but not be limited to systems that have Aalone, B alone, C alone, A and B together, A and C together, B and Ctogether, and/or A, B, and C together, etc.). In those instances where aconvention analogous to “at least one of A, B, or C, etc.” is used, ingeneral such a construction is intended in the sense one having skill inthe art would understand the convention (e.g., “a system having at leastone of A, B, or C” would include but not be limited to systems that haveA alone, B alone, C alone, A and B together, A and C together, B and Ctogether, and/or A, B, and C together, etc.).

The herein described aspects depict different components containedwithin, or connected with, different other components. It is to beunderstood that such depicted architectures are merely exemplary, andthat in fact many other architectures can be implemented which achievethe same functionality. In a conceptual sense, any arrangement ofcomponents to achieve the same functionality is effectively “associated”such that the desired functionality is achieved. Hence, any twocomponents herein combined to achieve a particular functionality can beseen as “associated with” each other such that the desired functionalityis achieved, irrespective of architectures or intermedial components.Likewise, any two components so associated can also be viewed as being“operably connected,” or “operably coupled,” to each other to achievethe desired functionality. Any two components capable of being soassociated can also be viewed as being “operably couplable” to eachother to achieve the desired functionality. Specific examples ofoperably couplable include but are not limited to physically mateableand/or physically interacting components and/or wirelessly interactableand/or wirelessly interacting components.

While various aspects and embodiments have been disclosed herein, otheraspects and embodiments will be apparent to those skilled in the art.The various aspects and embodiments disclosed herein are for purposes ofillustration and are not intended to be limiting, with the true scopeand spirit being indicated by the following claims.

1. A method comprising: including a tripwire file into a protected setof files that includes at least one normal file; facilitating acommunication to a second party of at least a portion of the protectedset of files; and receiving a signal indicating an occurrence of anactivity related to the tripwire file.
 2. The method of claim 1, whereinthe including a tripwire file into a protected set of files thatincludes at least one normal file further includes: including a tripwirefile into a protected database that includes at least one normal file.3. The method of claim 1, wherein the including a tripwire file into aprotected set of files that includes at least one normal file furtherincludes: including a tripwire account having a limited functionalityinto a protected set of files that includes at least one regular accounthaving a full functionality.
 4. The method of claim 1, wherein theincluding a tripwire file into a protected set of files that includes atleast one normal file further includes: including a record of a tripwireaccount having a limited functionality into a protected set of filesthat includes at least one record of valid account having a fullfunctionality.
 5. The method of claim 1, wherein the including atripwire file into a protected set of files that includes at least onenormal file further includes: including a tripwire file providing alimited benefit into a protected set of files that includes at least oneregular file providing a full benefit.
 6. The method of claim 1, whereinthe including a tripwire file into a protected set of files thatincludes at least one normal file further includes: including a tripwirefile misleadingly appearing to allow provision of a benefit to abeneficiary into a protected set of files that includes at least oneregular file actually allowing provision of the benefit to anotherbeneficiary.
 7. The method of claim 1, wherein the including a tripwirefile into a protected set of files that includes at least one normalfile further includes: including a tripwire file facilitating provisionof a token and/or de minimis benefit into a protected set of files thatincludes at least one regular file facilitating provision of a fullbenefit.
 8. The method of claim 1, wherein the including a tripwire fileinto a protected set of files that includes at least one normal filefurther includes: including a tripwire file subtype into a protected setof files that includes at least one normal file subtype.
 9. The methodof claim 1, wherein the including a tripwire file into a protected setof files that includes at least one normal file further includes:including a tripwire file subtype into a protected set of files thatincludes at least one normal file subtype, wherein the tripwire fileincludes data and/or a characteristic usable in discriminating between atripwire file subtype and an normal file subtype.
 10. The method ofclaim 1, wherein the including a tripwire file into a protected set offiles that includes at least one normal file further includes: includinga tripwire file and a tripwire file identification tool into a protectedset of files that includes at least one normal file.
 11. The method ofclaim 10, wherein the including a tripwire file and a tripwire fileidentification tool into a protected set of files that includes at leastone normal file further includes: causing a tripwire file to be includedin a protected set of files that includes at least one normal file; andcausing a tripwire file identification tool to be included another setof files.
 12. The method of claim 1, wherein the including a tripwirefile into a protected set of files that includes at least one normalfile further includes: including a tripwire file into a protected set offiles that includes at least one normal file, the tripwire file at leastsubstantially lacking at least one of a name, an attribute, anassociation, an operation, an interaction, a collaboration, avisibility, a state, a generalization, a relationship, and/or aresponsibility element present in the at least one normal file.
 13. Themethod of claim 1, wherein the including a tripwire file into aprotected set of files that includes at least one normal file furtherincludes: including a tripwire file into a protected set of files thatincludes at least one normal file, the tripwire file having at least oneof a name, an attribute, an association, an operation, an interaction, acollaboration, a visibility, a state, a generalization, a relationship,and/or a responsibility that is at least substantially different fromeach file of the at least one normal file.
 14. The method of claim 1,wherein the including a tripwire file into a protected set of files thatincludes at least one normal file further includes: including a tripwirefile into a protected set of files that includes at least one normalfile, the tripwire file having a property that does not facilitatereturn of an approval code in response to a credit card authorizationrequest and each normal file of the at least one normal file having aproperty that does facilitate return of an approval code in response toa credit card authorization request.
 15. The method of claim 1, whereinthe including a tripwire file into a protected set of files thatincludes at least one normal file further includes: including a tripwirefile into a protected set of files that includes at least one normalfile, the tripwire file having a property that does not facilitate areturn of an approval in response to a health insurance claim and eachnormal file of the at least one normal file having a property that doesfacilitate a return of an approval in response to a health insuranceclaim.
 16. The method of claim 1, wherein the including a tripwire fileinto a protected set of files that includes at least one normal filefurther includes: including in a protected set of files a tripwire filehaving a usability at least substantially limited to facilitatingdetection of a security breach of the protected set of files.
 17. Themethod of claim 1, wherein the facilitating a communication to a secondparty of at least a portion of the protected set of files furtherincludes: facilitating a communication to a second party of at least aportion of the protected set of files in at least one of anuntransformed, a transformed, and/or a secure configuration.
 18. Themethod of claim 1, wherein the receiving a signal indicating anoccurrence of an activity related to the tripwire file further includes:receiving a signal originated by at least one of the second party and/orby a third party and indicating an occurrence of an activity related tothe tripwire file.
 19. The method of claim 1, wherein the receiving asignal indicating an occurrence of an activity related to the tripwirefile further includes: receiving a signal indicating an occurrence of anactivity related to the tripwire file, wherein the activity includes atleast one of a credit card charge authorization request, an informationrequest, an account attribute change request, a funds transfer request,an inquiry, a query, a charge, a transaction, a transfer request, adeposit, a claim, a correction, a change of attributes request, apayment, a refund request, and/or a benefit transfer related to thetripwire file.
 20. The method of claim 1, further comprising; inresponse to the receiving a signal indicating an occurrence of anactivity related to the tripwire file, generating a human-perceivablesignal indicating an occurrence of an unauthorized activity related tothe protected set of files.
 21. The method of claim 1, furthercomprising; facilitating an application of a security measure to theprotected set of files in response to the receiving a signal indicatingan occurrence of an activity related to the tripwire file.
 22. Acomputer program product comprising: (a) program instructions operableto perform a process in a computing device, the process comprising:including a tripwire file into a protected set of files that includes atleast one normal file; facilitating a communication to a second party ofat least a portion of the protected set of files; and receiving a signalindicating an occurrence of an activity related to the tripwire file;and (b) a computer-readable signal-bearing medium bearing the programinstructions.
 23. The computer program product of claim 22, wherein theprocess further comprises: generating a signal indicating an occurrenceof an unauthorized activity related to the protected set of files inresponse to the received signal indicating an occurrence of an activityrelated to the tripwire file.
 24. The computer program product of claim22, wherein the process further comprises: facilitating application of asecurity measure to the protected set of files in response to thereceived signal indicating an occurrence of an activity related to thetripwire file.
 25. The computer program product of claim 22, wherein thecomputer-readable signal-bearing medium includes a computer storagemedium.
 26. The computer program product of claim 22, wherein thecomputer-readable signal-bearing medium includes a communication medium.27. An apparatus comprising: means for including a tripwire file into aprotected set of files that includes at least one normal file; means forfacilitating a communication to a second party of at least a portion ofthe protected set of files; and means for receiving a signal indicatingan occurrence of an activity corresponding to the tripwire file.
 28. Theapparatus of claim 27, further comprising; means for facilitatingapplication of a security measure to the protected set of files inresponse to the received signal indicating an occurrence of an activitycorresponding to the tripwire file.
 29. The apparatus of claim 27,further comprising; means for generating a human-perceivable signalindicating an occurrence of an unauthorized activity related to theprotected set of files in response to the received signal indicating anoccurrence of an activity corresponding to the tripwire file.